Mitigating Distributed Denial of Service Attacks Using a Proportional-Integral-Derivative Controller

1
Mitigating Distributed Denial of Service Attacks
Using a Proportional-Integral-Derivative
Controller
  • Marcus Tylutki
  • <tylutki_at_cs.ucdavis.edu>

2
Outline
  • Response to DDoS (Overview)
  • Control Theory Background
  • PID Control Law
  • DDoS response model utilizing PID Control
  • Experimental Results
  • Comparison to existing DDoS response models

3
Response to DDoS
  • DDoS Examples
  • Stacheldraht
  • Trinoo
  • Tribal Flood Network
  • Current response utilizes 2 main methods
  • IP Traceback
  • Bandwidth pushback

4
Classic Control Theory
[Block diagram. Labels: (Unknown and Known) Disturbances; System; Observed Value, v_o; System Changes, s_c; Controller; Desired Value, v_d]
5
PID Control Law
  • The control signal has 3 components
  • Proportional Mode
  • $c(t) = K_C\, e(t) + c_b$
  • Integral Mode: Compensates error buildup over
    time
  • $c(t) = (K_C / \tau_I) \int e(t)\, dt + c_b$
  • Derivative Mode: Attempts to match rate change
  • $c(t) = K_C\, \tau_D\, \frac{d}{dt}\big( e(t) \big) + c_b$

6
Using PID Control Law to mitigate DDoS effects
7
Using PID Control Law to mitigate DDoS effects
8
Necessary Assumptions
  • A sensor exists which can determine whether a
    packet is part of a DDoS attack or legitimate.
    (probabilistic)
  • Webscreen WS100 claims to do this for web
    servers.
  • The flow of packets through any border router
    headed towards the protected network can be
    detected. (iTrace)
  • A technique exists for dropping packets heading
    towards the protected network at the border
    router. (Traffic shaping)
  • The border router that forwarded a particular
    DDoS attack packet can be identified. (CEF)

9
Goals of the Approach
  • Bound the total amount of traffic passing through
    to the protected network
  • Maximize the percentage of legitimate packets in
    the flow reaching the protected network
  • Minimize the overall impact of overhead produced
    by this method

10
Calculation of PID Control Variables
  • Percent legitimate traffic
  • $x(t) = 1 - (\text{Attack Flow} / \text{Total Flow})$
  • Error used for future predictions
  • $e(t) = z_{ideal}(t-1) - z(t-1)$
  • $e(t) = \big( 1 - (\text{Limit} / \text{Flow}(t-1)) \big) - z(t-1)$
  • Predicted block percentage
  • $z(t) = c(t) + z(t-1)$

11
Calculation of c(t)
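  • Proportional Control (P)
  • $c(t) = K_C\, e(t)$
  • Proportional Derivative Control (PD)
  • $c(t) = K_C\, e(t) + \tau_D\, \frac{d}{dt}\big( e(t) \big)$
  • $\frac{d}{dt}\big( e(t) \big) \approx \big( e(t-1) - e(t-2) \big) / \Delta t$
  • Proportional Integral Derivative Control (PID)
  • $c(t) = K_C\, e(t) + \tau_D\, \frac{d}{dt}\big( e(t) \big) + (1 / \tau_I) \int e(t)\, dt$
  • $\int e(t)\, dt \approx \Delta t \sum_{i=1}^{t} e(i)$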
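
The update rule from the two slides above, written out as an added example (this is not code from the presentation). It computes e(t), c(t) and z(t) per interval exactly as listed and applies z(t) to a constructed offered load. Assumptions: Flow(t-1) is the offered rate seen at the border routers, z starts at 0 and is clamped to [0, 0.99] (the 99% cap comes from the experiment slide, the lower bound is assumed), and the limit and load values are constructed.

```python
# Added example: discrete P / PD / PID block-fraction controller.
# Class and function names are hypothetical; sample data is constructed.

class PIDBlocker:
    def __init__(self, limit, kc, tau_i=None, tau_d=None, dt=20.0, z_max=0.99):
        self.limit, self.kc = limit, kc
        self.tau_i, self.tau_d = tau_i, tau_d
        self.dt, self.z_max = dt, z_max
        self.z = 0.0        # z(t-1); starting unblocked is an assumption
        self.errors = []    # e(1) .. e(t-1)

    def step(self, prev_flow):
        """Take Flow(t-1) and return the block fraction z(t)."""
        # e(t) = (1 - Limit / Flow(t-1)) - z(t-1)
        z_ideal = 1.0 - self.limit / prev_flow if prev_flow > 0 else 0.0
        e = z_ideal - self.z
        c = self.kc * e                                  # proportional term
        if self.tau_d is not None and len(self.errors) >= 2:
            # d/dt e(t) ~ (e(t-1) - e(t-2)) / dt
            c += self.tau_d * (self.errors[-1] - self.errors[-2]) / self.dt
        self.errors.append(e)
        if self.tau_i is not None:
            # integral of e(t) dt ~ dt * sum_{i=1..t} e(i)
            c += (1.0 / self.tau_i) * self.dt * sum(self.errors)
        # z(t) = c(t) + z(t-1), kept inside [0, z_max]
        self.z = min(self.z_max, max(0.0, self.z + c))
        return self.z


def simulate(offered, ctrl):
    """Return [(z(t), delivered rate)] for each interval of offered load."""
    out, prev = [], offered[0]   # first Flow(t-1) taken as the first sample
    for flow in offered:
        z = ctrl.step(prev)
        out.append((z, flow * (1.0 - z)))
        prev = flow
    return out


# Constructed load: 10 quiet intervals, then a sustained flood (SCTs / second).
OFFERED = [300.0] * 10 + [1000.0] * 20

if __name__ == "__main__":
    for name, ctrl in [("P  Kc=1.2", PIDBlocker(400.0, 1.2)),
                       ("PD Kc=1.3 Td=0.2", PIDBlocker(400.0, 1.3, tau_d=0.2))]:
        for t, (z, rate) in enumerate(simulate(OFFERED, ctrl)):
            print(f"{name} t={t:2d} z={z:.4f} delivered={rate:7.1f}")
```

Because the controller acts on Flow(t-1), the first flood interval passes unblocked; the block fraction then overshoots and settles at 1 - Limit/Flow.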

12
PID Simulation Results
13
PID Sim. Results (Contd)
14
PID Sim. Results (Contd)
15
PID Sim. Results (Contd)
16
PID Sim. Results (Contd)
17
Experiment Setup
[Network diagram. Labels: comm. server; comm. client (x2); attacker (x2); firewall server (x2); PID controller; hosts xeno, baruntse, izzy]
18
Assumptions of the Experiment
  • Uniform packet weights
  • Equal impact on protected services
  • One DDoS target
  • Firewall servers in place
  • Limited types of spoofed packets
  • Cannot spoof across foreign networks
  • All DDoS traffic is over TCP/IP

19
Assumptions of the Experiment (contd)
  • PID control parameters are static
  • Attack packets are easily distinguished.
  • All packets are examined
  • 100% accuracy
  • All connections are authenticated using SSL
  • Attacks do not originate from inside the
    protected network
  • Attacks do not bypass the TCP stack

20
Experiment Configurations
  • Border router firewall
  • dummynet
  • ipfw
  • ipfw pipe 1 config plr .50
  • Comm. Client, Attacker
  • Uses a Poisson probability distribution to
    calculate delay
  • Transmissions are single characters (SCTs)
  • A for attack packet
  • B for legitimate packet
  • izzy had a majority of attack traffic with some
    legitimate traffic
  • baruntse had a majority of legitimate traffic
    with some attack traffic

21
PID Control within the Experiment
  • $\Delta t = 20$ seconds
  • z(t) does not translate from packets to
    transmissions
  • $z(t) = 0.60$ dropped 95% of connections
  • $z(t) = 0.05$ dropped 39% of connections
  • $z(t) = 0.01$ dropped 8% of connections
  • Maximum block z(t) set to 99%

22
Results of the Experiment
P, PI, and PD Control
[Figure: Results of Proportional, Proportional Integral, and Proportional Derivative Control. Y-axis: Traffic (SCTs / second), 0 to 400. X-axis: Time (sec), 0 to 423. Series: Limit; Baseline; Pushback; Kc 1.2; Kc 1.3, Td .2; Kc 1.5, Ti 10]
23
Results of the Experiment (contd)
24
Benefits of each PID control mode
  • Proportional
  • Traffic is truly random, yet stabilizes around an
    average
  • Proportional-Integral
  • As above, yet includes undetermined errors that
    can be compensated
  • Proportional-Derivative
  • Traffic contains some non-linear patterns that
    shift from time to time
  • Proportional-Integral-Derivative
  • Traffic that contains patterns and undetermined
    errors

25
Future Work
  • Chaotic maps
  • Multidimensional PID control
  • Packet weights
  • Support for non-border routers
  • Commercial PID Controllers
  • Faster, more accurate PID parameter tuning